Pwn2Own: the real story behind browser hacks

It is getting harder to write exploits, but if someone really wants to do it, they still can, says Dr Charlie Miller, a renowned security researcher. Photo by: Alexander Klink

Are browsers any more secure today than a year ago? Apparently not - the annual “Browsers hacked in five minutes” headlines did the rounds recently after the Pwn2Own competition at CanSecWest.

The good news is that those headlines are meaningless, and we'll explain why. The bad news is that browsers are still desperately insecure.

We asked Dr Charlie Miller, a renowned security researcher and ex-NSA specialist who won Pwn2Own four times, and Haroon Meer, a South African security expert and founder of Thinkst Applied Research, to distil the hype into reality. Dr Miller is a headline speaker at this year's ITWeb Security Summit.

Pwn2Own - take your best shot

Pwn2Own is a yearly competition at which security researchers compete to hack fully-patched browsers, mobile phones or other systems, and to create on-the-fly attacks against systems with specific vulnerabilities left unpatched. The event is sponsored by Hewlett-Packard (technically, it's organised by the Zero Day Initiative, run by TippingPoint, which is a division of HP) and carries a total prize fund of $105 000.

Google, whose Chrome browser uses a sandbox model to thwart attackers, and which has escaped attention in previous competitions, upped the ante this year with a separate “Pwnium” competition run in parallel with Pwn2Own. The search giant opposed the new Pwn2Own rules which allowed researchers to keep the details of their exploits secret, and offered a prize purse of $1 million to be allocated in tranches of up to $60 000 for each fully-functioning Chrome exploit, provided the full details were disclosed.

The response was immediate and brutal - Chrome was the first browser to fall on the opening day, within minutes of the event beginning. Researchers stepped up to the plate with several attacks on Google's browser.

Top-performing security researcher Vupen, taking part in Pwn2Own rather than Google's Pwnium, demonstrated full sandbox escape and code execution via a zero-day exploit using Flash. That attack was followed by a separate successful sandbox break-out by Sergey Glazunov, who used two zero-day exploits in conjunction for the attack. Glazunov is no stranger to Google - he has a long history of collecting bounties from Google for his security research.

Then, just before the end of the competition, a teenager going by the handle “Pinkie Pie” used a combination of three zero-day exploits, which he claimed to have researched in just 10 days, to break out of Chrome's sandbox as well.

Glazunov and Pinkie Pie both collected $60 000 from Google. The vendor patched the vulnerabilities quickly, pushing out updates within 24 hours.

Vupen, winning the Pwn2Own competition with successful exploits against Chrome and Firefox, netted that competition's first place purse of $60 000.

Reality check: nothing was hacked in five minutes

Pwn2Own is frequently misunderstood, and excitable reportage around the event doesn't help. “Chrome/Firefox/IE hacked in five minutes” is often misinterpreted to mean a team of hackers turned up and cracked a browser from a cold start. This is mistaken: zero-day exploits are usually the result of weeks or months of painstaking research and development work, efforts which can be rendered worthless at a stroke if a vendor finds the flaw and patches it (the test systems at Pwn2Own are fully patched). The time it takes to run the exploit on the day is more often just the time needed to upload enough data to trigger a buffer overflow, or for each stage of a chained exploit to succeed and invoke the next in the chain.

Rules of Pwn2Own

Pwn2Own ran under a different set of rules this year, with a points system for exploits instead of the race to be first of previous competitions. The rules also allow researchers to keep some details of their exploits to themselves, a practice met with criticism. That does mimic the real world of security research - Vupen stated openly that it had come to the competition armed with several zero-day exploits for all major browsers, some of which it declined to demonstrate.

“Researchers spend months working on their exploits and the time taken to exploit it on the day means nothing,” Meer agrees. “Unfortunately, you can't really infer too much for what this means in the wild.”

And merely finding a flaw is only one step: “weaponising” it, or turning it into an exploit which can be used to actually take control of a victim, is the real jackpot, whether you are a security researcher or black-hat hacker.

That part of the process is becoming more difficult, says Miller. “[Finding flaws] is not much harder. However, the big change is how much harder it is to exploit vulnerabilities. If you look at Pwn2Own, even two to three years ago you needed to have one decent vulnerability and then you could write an exploit pretty easily. This year, most of the winning exploits required two to three vulnerabilities each. You need to break the memory randomisation, get code running, and break out of the sandboxes, all requiring different vulnerabilities. It is a bit unnerving that the participants were able to find so many vulnerabilities, but it is good news that they had to find so many to get code running on the targets.”

This also means the measure of security should be on how hard a product is to attack, rather than the number of flaws, Miller says. “The gains probably aren't in the number of vulnerabilities we see in products, but rather in how hard it is to exploit them. If you look over the years that I won the competition, initially it probably took me a week to win and the last time took around a month of effort. This year the effort was more than I was willing to expend. It is getting harder to write exploits, but if someone really wants to do it, they still can.”

This is the motivation behind Google's insistence on disclosure at Pwnium: swatting single bugs is good, but fixing the ecosystem is better. “We have a big learning opportunity when we receive full end-to-end exploits,” wrote Google's security team in a blog post announcing Pwnium. “Not only can we fix the bugs, but by studying the vulnerability and exploit techniques we can enhance our mitigations, automated testing, and sandboxing.”

Show me the money

For researchers who do find working exploits, the payoff is worth it. And as the task becomes harder, that only raises the stakes. Competitions like Pwn2Own offer cash rewards and kudos in the community, but for groups like Vupen the real money lies in customers who pay handsomely for early warning of vulnerabilities such as these - among its other services, Vupen sells guaranteed zero-day exploits to governments and law-enforcement agencies.

ITWeb Security Summit

Dr Miller is one of the headline speakers at the ITWeb Security Summit and Awards, taking place from 15 to 17 May.

$60 000 at Pwn2Own sounds like a lot, but in this game, it's merely a taster. “With the browser reward programmes, a common war cry is that the vendors do not offer enough (in terms of a bounty) to encourage researchers to disclose their bugs. $60 000 is not insignificant, but at least one group there had the bugs to claim the prize, but did not.”

If you're at the top level of security research, demonstrating your expertise at Pwn2Own is not about the money: it's all about reputation and marketing.

But while it might be small change to the big players, the prizes do encourage the community, Miller notes. “Money is a good motivator! If you look at these bug bounty programmes, they have many active participants. Most of these people you won't have heard of. Even the big prizes, like Pwn2Own, about half the time, it is someone not previously well known. Even this year, at least one person won at Pwnium who I hadn't heard of before.”

The correlation is worrying, though. “[The prize shows that] enough people are willing to step up and deliver the exploits,” says Meer. “To me this is a clear indication that such attacks are possible most days of the week, to moderately funded/skilled adversaries.”

Short answer: $20k buys you a working zero-day exploit. Use it wisely.

Bottom line: your browser is still at risk

Miller and Meer are unanimous that security in browser development has improved enormously, but the vulnerabilities are still there. The uncomfortable fact is that zero-day exploits are still a concern, are traded commercially, and can result in complete system compromise. Drive-by exploits can be embedded in otherwise innocent sites (such as a compromised ad server delivering exploit code along with banner ads to third-party sites). Your anti-virus, Web filter, IPS and firewall are important security tools, but they're unlikely to stop a zero-day exploit in the wild. (To be fair, they might well mitigate the follow-up attack. Don't throw your firewall away just yet!)

Definition

Pwn (v): to dominate an opponent or gain control of a target computer. Originally a misspelling of “own” in online gaming.

“The browser is amazingly hard to secure,” Meer points out. “The feature race between browser vendors means new code is being added constantly. The browser supports scripting languages that effectively allow an attacker fine-grained control of a machine - this is why even though new operating systems have generic protection like DEP and ASLR, browser-based attacks manage to work around them.” Plugins and third-party software, like Adobe Flash, also contribute greatly to the problem.

The most effective mitigation is to disable JavaScript entirely. Of course, that will break your Web browsing experience almost completely, but it will also prevent most malware. JavaScript interpreters themselves are not the culprits, but in most cases it is scripts which load the exploit components. If you are willing to put the effort into managing it on a case-by-case basis, add-ons like NoScript for Firefox allow the user fine-grained control over what sites may execute scripts in the browser.
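The same default-deny approach can be applied to Chrome without an add-on, using its managed policy file. This is an added example, not from the article or from Google; the file path is the Linux location for Chrome managed policies, and the allowed domains are constructed placeholders for sites you have decided to trust.

```json
{
  "_comment": "Constructed example: /etc/opt/chrome/policies/managed/javascript.json",
  "_weak_setting_to_avoid": "DefaultJavaScriptSetting: 1 allows scripts on every site by default",

  "DefaultJavaScriptSetting": 2,

  "JavaScriptAllowedForUrls": [
    "[*.]intranet.example",
    "https://webmail.example"
  ]
}
```

With DefaultJavaScriptSetting set to 2 (block), any site not matched by a JavaScriptAllowedForUrls pattern cannot run scripts, so a drive-by page served through a third-party ad network has no script stage to load its exploit components; the chrome://policy page shows whether the file was loaded.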